FreeBSD Tor Relay as unprivileged user using Port Mapping/NAT

There are 2 main steps to getting a TOR relay working on FreeBSD:

  1. Installing and configuring Tor
  2. Using an edge router to do port translation

In my case I wanted TOR to run its services on ports 80 and 443, but binding any port below 1024 requires root access on UNIX systems.

So I used port mapping on my router to translate the public ports to unprivileged ones on the relay.

Begin by installing TOR and ARM from the ports tree:

/usr/ports/security/tor/

/usr/ports/security/arm/

Arm is the Anonymizing Relay Monitor: https://www.torproject.org/projects/arm.html.en

It provides useful monitoring graphs and can be used to configure the torrc file.

Next, edit the torrc file:

$ sudo vim /usr/local/etc/tor/torrc

Uncomment or add the following lines:

#Not recommended BUT. I use tor on other devices on my LAN that can't use the TOR
# Browser Bundle. Do not forward this port to the internet!
SOCKSPort 10.0.0.135:9050 # Default: Bind to localhost:9050 for local connections.
SOCKSPolicy accept 10.0.0.0/16

Log notice file /var/log/tor/notices.log

DataDirectory /var/db/tor

ControlPort 9051

#The following tells TOR to open the port on 9090 but advertise port 443;
# this allows you to run TOR as an unprivileged user and then bind the port using NAT on
# your router to the correct port.
ORPort 443 NoListen
ORPort 10.0.0.135:9090 NoAdvertise

OutboundBindAddress 10.0.0.135 #Put in your LAN address

Nickname networkingbsdblog

RelayBandwidthRate 2000 KBytes # Throttle traffic to 2000 KB/s (16 Mbps)
RelayBandwidthBurst 3000 KBytes # But allow bursts up to 3000 KB (24 Mbit)

ContactInfo Random Person <enteryouremailhere>

#As above, this tells TOR to bind to port 9099 locally but advertise port 80;
# this way TOR doesn't need to run as root, as the router maps LAN:9099
# to WAN:80
DirPort 80 NoListen
DirPort 10.0.0.135:9099 NoAdvertise #Add your LAN IP here
DirPortFrontPage /usr/local/etc/tor/tor-exit-notice.html

#The following allows a LOT of services through the relay. Comment out what you don't
# want. Removing ports 80 and 443 will effectively kill off 99% of relay traffic.

ExitPolicy accept *:20-21 # FTP
ExitPolicy accept *:22 # SSH
ExitPolicy accept *:23 # Telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA’s like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # TELNETS
ExitPolicy accept *:993 # IMAP over SSL
ExitPolicy accept *:994 # IRCS
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave Mobility Server
ExitPolicy accept *:2083 # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble
ExitPolicy reject *:*

It is handy to add the following lines to /etc/services so you can refer to the ports by name in your pf configuration.

torproxy 9050/tcp #torsocks
torOR 9090/tcp #torOR
torDIR 9099/tcp #torDIR

To allow TOR services my pf.conf has the following lines:

# interfaces
lan_if="re0"
wifi_if="wlan0"
interfaces="{wlan0,re0}"
tcp_services = "{ ssh torproxy torOR torDIR }"
# options
set block-policy drop
set loginterface $lan_if
# pass on lo
set skip on lo
scrub in on $lan_if all fragment reassemble
# NAT
nat on $lan_if from $wifi_if:network to !($lan_if) -> ($lan_if)
block all
antispoof for $interfaces

#In NAT
pass in log on $wifi_if inet
pass out all keep state

#ICMP
pass out log inet proto icmp from any to any keep state
pass in log quick inet proto icmp from any to any keep state
#SSH
pass in inet proto tcp to $lan_if port ssh
pass in inet proto tcp to $wifi_if port ssh
#TCP Services on Server
pass in inet proto tcp to $interfaces port $tcp_services keep state

This way torOR, torDIR and torproxy will show up by name in pftop, iftop, etc.

The final part is mapping the ports on the router as follows:

TOR directory port: LANIP:9099 -> WANIP:80

TOR router port: LANIP:9090 -> WANIP:443

[Screenshot: router port-forwarding rules for the two mappings above]
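A small checker, added here and not part of the original post, that reads the ORPort/DirPort lines from the torrc above and derives the router mappings they imply. It also flags the two mistakes this setup is designed to avoid: a listener below 1024 (which would need root) and an advertised port with no matching NoAdvertise listener. The torrc fragment is constructed from the post's settings.

```python
import re

# Constructed torrc fragment mirroring the post's ORPort/DirPort lines
# (this is example input, not the author's actual file).
TORRC = """
ORPort 443 NoListen
ORPort 10.0.0.135:9090 NoAdvertise
DirPort 80 NoListen
DirPort 10.0.0.135:9099 NoAdvertise
"""

# option, optional "addr:" prefix, port number, trailing flags
PORT_RE = re.compile(r"^(ORPort|DirPort)\s+(?:(\S+):)?(\d+)\s*(.*)$")


def parse_ports(text):
    """Split ORPort/DirPort lines into advertised and listening endpoints."""
    out = {"ORPort": {"advertise": [], "listen": []},
           "DirPort": {"advertise": [], "listen": []}}
    for raw in text.splitlines():
        m = PORT_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        opt, addr, port, flags = m.groups()
        flags = flags.split()
        entry = (addr or "0.0.0.0", int(port))
        # NoListen = advertise only, NoAdvertise = listen only,
        # neither flag = the line does both (plain relay setup).
        if "NoAdvertise" not in flags:
            out[opt]["advertise"].append(entry)
        if "NoListen" not in flags:
            out[opt]["listen"].append(entry)
    return out


def nat_mappings(text):
    """Return (router rules, problems) implied by the torrc text."""
    rules, problems = [], []
    for opt, p in parse_ports(text).items():
        if not p["advertise"]:
            continue  # option unused
        if not p["listen"]:
            problems.append(f"{opt}: advertised but no listener configured")
            continue
        for laddr, lport in p["listen"]:
            if lport < 1024:
                problems.append(f"{opt}: listener {laddr}:{lport} needs root")
            for _, wport in p["advertise"]:
                rules.append((opt, f"{laddr}:{lport}", f"WAN:{wport}"))
    return rules, problems
```

Run against the fragment it returns the two mappings to configure on the router (10.0.0.135:9090 to WAN:443 and 10.0.0.135:9099 to WAN:80) and an empty problem list.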


Now enable TOR at boot (sysrc writes the setting to /etc/rc.conf as root; a plain "sudo echo ... >> /etc/rc.conf" would fail, because the redirect runs in your own unprivileged shell):

$ sudo sysrc tor_enable=YES

Start TOR:

$ sudo service tor start

The default FreeBSD installation runs TOR as the unprivileged user _tor, so no further configuration is necessary.

Now check the status using ARM:

$ sudo -u _tor arm

You get a nice scrolling bandwidth graph and can also check all the connections to your relay!

[Screenshot: arm monitor showing the relay's bandwidth graph and connections]

You can keep track using pftop:

[Screenshot: pftop showing the torOR, torDIR and torproxy states]
